The Journey to a Secure Managed Service Provider

In the fall of 2018, we began tracking a material shift in cyber threat actors targeting more managed service providers (MSPs) and small and medium businesses (SMBs), instead of their usual enterprise targets. Cyber criminals honed in on high profile remote monitoring and management (RMM) products as a favored tool for attacks and in Q4 of 2019, we took thoughtful and deliberate action to require mandatory two-factor authentication (2FA) for all Datto RMM users.

Fast forward to 2020. It goes without saying that the path we are on has taken a few sharp turns. We’re in a truly unprecedented time, with the majority of MSPs navigating a world of clients and staff working from home. As such, the security threat landscape has continued to evolve. The number of security investigations performed by our security team in the last 90 days far outpaces the total number of incidents opened in the entire history of Datto. I say this not with the intention to frighten you, but to empower you, and to remind you that we have your back.

Within the last 30 days, Datto experienced what we believe to be a targeted, low and slow credential stuffing attack. These attacks reuse credentials breached in past compromises (unaffiliated with Datto) to attempt access to accounts. While 99%+ of the attempts failed, hundreds of valid accounts had access attempts with those previously leaked credentials obtained from large credential dumps, known as Collections. We know with certainty that the vast majority of attacks on our partners are unsophisticated and involve the use of compromised user credentials. We also know that when partners protect their technologies using Datto’s Secure Deployment Best Practices for BCDR, PSA and RMM they’re significantly more secure. When configured to our secure recommendations, we have observed zero security incidents to date.

While we have been building our security best practices and encouraging partners to configure them accordingly, we know this is not enough as history indicates that only 30% of partners make modifications to adopt those security settings. There is more to be done to move the needle. So we listen, we learn, and we continue to iterate.

We listened and we learned

Earlier this year we introduced the Security Admin role in the Datto Partner Portal. This role permits up to two users to tightly manage the security controls of your company. This also includes having the ability to securely send one time passcodes for any user that is locked out of their account due to factors affecting the inability to login due to 2FA. Security Admins may also configure Duo for the company to promote a consolidated login experience for all employees.

Where does this road take us next?

• By the end of this year, all users will be authenticated to Datto products using Datto SSO (a.k.a AuthWeb). A single login experience for all users reduces the likelihood of multiple usernames and passwords and provides a unified Datto login experience.
  • On June 10th, Datto Workplace and File Protection completed migration to Datto SSO.
  • By the end of July, PSA users will be able to take advantage of a whiteglove service that will allow users to migrate to Datto SSO using OpenID Connect.
• One of the most prominent requests we hear from partners is the desire for more authentication options, namely Duo, which provides an expansive suite of 2FA tools (including push and YubiKey support) and a plethora of self-service options. We’ve spent the last few months working hard to deliver a native integration with Duo and I am happy to report that this option is in active beta today.
• Required 2FA for all users:
  • By the end of June, all users authenticating through Datto SSO will be required to have 2FA configured. This includes existing and new partners and client users.
  • For PSA users awaiting migration to Datto SSO in a multi-phased approach, mandatory 2FA began rolling out across users on June 9th. These users will be required to configure 2FA within the PSA product.

We continue to iterate

While I recognize that it may feel challenging to adapt to this new environment that our path is taking us on, I commit to always be listening, learning, and working alongside partners to expand our features and functionality for a secure, optimal user experience. As we strive to achieve the best possible balance between security and user experience, we will continue to prioritize the protection of MSPs. Here are some exciting features you can look forward to coming down the pike:

• Bring your own Authentication/SSO: Integration with your own authentication experience using Okta, Azure Active Directory, or the like.
• Native Hardware Token 2FA support: Universal support for hardware tokens supporting the U2F protocol, such as Yubikey, for a robust authentication experience.
• Device Trust: The combination of user trust and device trust ensures your applications are only accessible by the devices you permit.
• Active Session Management Enhancements: Initially, this includes the ability to manage how frequently users are prompted for 2FA as well as the ability to monitor and take action on active user sessions.

Thank you for taking this journey with me. I look forward to continuing the conversation. Our team welcomes any feedback, and you can reach us at: productsecurity@datto.com.